Shibboleth On-line Authentication System
Jon Browne, Senior Consultant
Drew Heald BSc (Hons), MPhil, MCP, Systems Developer
IBIS Business Consultants Ltd
Accessing a Web Resource
[Diagram: Client sends a Request to the Server (WWW); the Server returns a Response]
• Client user accesses a free resource
• Client user is authenticated via a username and password to access a protected resource
• Client user is responsible for setting up that account
Web Resources for Education
• Educational establishments subscribe to resources on behalf of many users
• Parts of a given resource may only be accessible by some of the users in a given educational establishment
• The resources to which a given user has access change periodically
Authentication
[Diagram: School (Students; Directory/Database holding Student data) performs Authentication against the Resource (its own Directory/Database holding Student data); Authorisation then divides the resource into parts: Available to all, Available to year 3 and above, Available to year 6 and above]
Authentication: Common Issues
• Exposure of personal information
• High administrative burden
• Lack of traceability
• Password leakage
• Many passwords problem
• Resource accessibility is restricted
• Complicated to use
Shibboleth aims to:
• Ensure no personal information is exposed unless necessary
• Minimise the number of passwords a user needs to remember
• Minimise the administrative burden
• Enable user traceability
• Be transparent to the user
• Enable access from any location
Shibboleth User Authentication
[Diagram: LEA/RBC (Origin) hosts the Handle Service, User Authentication, User Attributes (LDAP/SQL) and the Attribute Authority; the Resource (Target) hosts the SHIRE, the SHAR and the Resource(s); the WAYF lists the origins Bash Street, St Trinians, Hogwarts, LGfL, Oxford, …]
Shibboleth User Authentication
Message flow, numbered as in the diagram, between the Browser, SHIRE, WAYF, Handle Service, SHAR and Attribute Authority (AA):
1. Request URL
2. Request URL + SHIRE URL
3. Request URL + SHIRE URL
4. Username + password
5. Request URL + Handle + AA URL
6. Request URL + Handle + AA URL
7. Request URL + Handle
8. Handle returns User ID
9. User Attributes
10. Request URL + User Attributes
11. User Attributes
Shibboleth User Authentication: Subsequent Request URL (Same Domain)
[Diagram: same Origin/Target components as before]
• SHIRE has cached Session & Handle = OK
• SHAR has cached Attributes = OK
Shibboleth User Authentication: Subsequent Request URL (Different Domain)
[Diagram: same Origin/Target components as before]
• SHIRE has cached Session & Handle = OK
• SHAR has no cached Attributes for the new Domain, so it asks the AA: Request New Domain Attributes; Handle returns User ID; Return New Domain Attributes
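The handle flow and the caching behaviour on the three slides above, modelled as an added example (not code from the presentation or from the Shibboleth project): the origin's Handle Service issues an opaque handle after login, the Attribute Authority releases only the attributes the release policy allows for the requesting target domain, and the SHAR caches attributes per domain, so a repeat request to the same domain needs no AA round trip while a new domain does. All users, attributes, credentials and domain names are constructed sample data.

```python
import secrets

# Constructed origin directory (user id -> attributes); it never leaves the origin whole.
DIRECTORY = {"hpotter": {"year": 6, "school": "Hogwarts", "email": "hp@example.test"}}
# Constructed release policy: attributes each target domain is allowed to receive.
RELEASE_POLICY = {"lgfl.example": {"year", "school"}, "oxford.example": {"school"}}
CREDENTIALS = {"hpotter": "pa55word"}  # constructed stand-in for the LDAP/SQL check


class HandleService:
    """Origin side: authenticates the user and issues an opaque handle (steps 4-5)."""
    def __init__(self):
        self.handles = {}  # handle -> user id; the mapping stays at the origin

    def authenticate(self, username, password):
        if CREDENTIALS.get(username) != password:
            return None
        handle = secrets.token_urlsafe(16)  # random, reveals nothing about the user
        self.handles[handle] = username
        return handle


class AttributeAuthority:
    """Origin side: resolves a handle to a user id and releases filtered attributes (8-9)."""
    def __init__(self, hs):
        self.hs = hs

    def resolve(self, handle, target_domain):
        user_id = self.hs.handles.get(handle)
        if user_id is None:
            return None  # unknown handle: release nothing
        allowed = RELEASE_POLICY.get(target_domain, set())
        return {k: v for k, v in DIRECTORY[user_id].items() if k in allowed}


class SHAR:
    """Target side: fetches attributes from the AA and caches them per domain (7, 10)."""
    def __init__(self, aa):
        self.aa, self.cache, self.aa_calls = aa, {}, 0

    def attributes(self, handle, domain):
        key = (handle, domain)
        if key not in self.cache:  # new domain: nothing cached, so ask the AA
            self.aa_calls += 1
            self.cache[key] = self.aa.resolve(handle, domain)
        return self.cache[key]


def authorise(attrs, min_year):
    """Resource-side decision, e.g. 'available to year 3 and above'."""
    return attrs is not None and attrs.get("year", 0) >= min_year
```

Note that the e-mail attribute is never released to either domain, which is the "no personal information exposed unless necessary" aim in practice.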
Shibboleth User Authentication (via a Portal)
[Diagram: LEA/RBC (Origin) hosts the Handle Service, User Authentication, User Attributes (LDAP/SQL) and the Attribute Authority; the Resource (Target) hosts the SHIRE, the SHAR and the Resource(s); a Portal sits in front of the target]
Shibboleth User Authentication: Pros and Cons
Pros
• Low administrative burden
• Exposure of personal information under user's control
• Same identity for all resources
• User traceability
• Resources can be accessed from any location
Cons
• (Possible) multi-stage authentication
Shibboleth Demonstration
[Diagram, arrows numbered 1 to 7 between the Browser and the components: Shibboleth Target on Windows 2003 Server, IIS 6.0; WAYF Service on Windows 2003 Server, IIS 6.0; Shibboleth Origin on Windows XP Pro, Apache Server 2.0.49; LDAP Directory (Active Directory) on Windows 2003 Server]
Shibboleth Demonstration
[Diagram, arrows numbered 1 to 7 between the Browser and the components: Shibboleth Target on Windows 2003 Server, IIS 6.0; WAYF Service; Shibboleth Origin on Windows 2003 Server, Apache Server 2.0.49; LDAP Directory (Active Directory)]
Shibboleth
http://shibboleth.internet2.edu
"Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand." (Judges 12:6)